Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Automotive Grade Linux(AGL) MEDIAPLAYER Crash

Description

Download the latest version of AGL : https://download.automotivelinux.org/AGL/release/octopus/latest/raspberrypi4/deploy/images/raspberrypi4-64/

(This version is referred to as the release version.)

 

I ran the image on Raspberry Pi 4 and found a bug in the mediaplayer.

The MDP version used by AGL is 0.23.6, but as a result of checking the source of the latest version, 0.23.11, it seems that the corresponding part is not patched.

 

After creating a malicious MP3 file, I used a USB to play the media file on AGL.

 

Then, AGL caused a crash for mediaplayer (coredump).

I checked this crash using journalctl.

 

 

 

 

 

After that in AGL, MEDIAPLAYER does not work again (no response when pressed, Absence of watchdog).

 

I will attach different files that cause the crash.

 

Check it out and let me know. 

 

Thanks!!

Environment

raspberry4

Attachments

9

Activity

Walt MinerMay 23, 2023 at 1:33 PM

Close for NN 14.0.5 and OO 15.0.2

Scott MurrayMay 15, 2023 at 4:33 PM

I finally remembered that I'd not bumped the SRCREV of mpd to pick up the change, I did so before the builds of Needlefish 14.0.5 and Octopus 15.0.2 last week.

euntaejangFebruary 20, 2023 at 9:51 PM

Thanks

I will wait and look forward to it.

Scott MurrayFebruary 20, 2023 at 3:05 PM

For filing a CVE, I would probably suggest just mentioning libqtappfw.  I can bump the version number once https://gerrit.automotivelinux.org/gerrit/c/src/libqtappfw/+/28515 gets merged if that would help.

euntaejangFebruary 20, 2023 at 12:31 AM

Hi  

 

Thank you. I checked the links you provided and appreciate your hard work in identifying the root cause of the vulnerability.

However, I am having difficulty submitting a CVE to MITRE for AGL due to the vulnerability being linked to multiple open sources, such as libqtappfw and libmpdclient.

If it is possible for you to submit a CVE for me, I would appreciate it, but if not,  contributing to the security of AGL is satisfying enough for me, and I am grateful for the opportunity to have done so.

Best regards."

Fixed

Details

Assignee

Reporter

Fix versions

Labels

Hardware Platform(s) Affected

Raspberry Pi 4

Original estimate

Time tracking

No time logged4d remaining

Components

Due date

Priority

Created December 29, 2022 at 3:11 AM
Updated May 23, 2023 at 1:33 PM
Resolved May 15, 2023 at 4:33 PM